From 649d4bf8aa1e957d6a059dd265d5c9b313a43f15 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 30 Jul 2007 08:58:39 +0000 Subject: r24074: Test both permitted logon hours and permitted workstations in the RPC-SAMLOGON test. This showed that, as noted by bug #4823, we didn't test for invalid workstations. In fact, the code had been ported across, but because untested code is broken code, it never worked... Andrew Bartlett (This used to be commit 5e07417ada56d189a911ef888b0c87adebe60763) --- source4/auth/sam.c | 3 +- source4/torture/rpc/samlogon.c | 75 +++++++++++++++++++++++++++++++++++++++--- source4/torture/rpc/testjoin.c | 1 + 3 files changed, 73 insertions(+), 6 deletions(-) (limited to 'source4') diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 2fb0a239ff..6e160941d8 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -46,7 +46,6 @@ const char *user_attrs[] = { "pwdLastSet", "accountExpires", "logonHours", - "objectSid", /* check 'allowed workstations' */ @@ -213,7 +212,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n", workstations[i], logon_workstation)); - if (strequal(workstations[i], logon_workstation) == 0) { + if (strequal(workstations[i], logon_workstation)) { invalid_ws = False; break; } diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 10cb1b4557..2baeda5a75 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -24,6 +24,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "librpc/gen_ndr/ndr_samr_c.h" #include "auth/auth.h" #include "lib/crypto/crypto.h" #include "lib/cmdline/popt_common.h" @@ -33,6 +34,8 @@ #define TEST_MACHINE_NAME "samlogontest" #define TEST_USER_NAME "samlogontestuser" +#define TEST_USER_NAME_WRONG_WKS "samlogontest2" +#define TEST_USER_NAME_WRONG_TIME "samlogontest3" enum ntlm_break { BREAK_BOTH, @@ -1476,13 +1479,15 @@ BOOL torture_rpc_samlogon(struct torture_context *torture) struct cli_credentials *machine_credentials; TALLOC_CTX *mem_ctx = talloc_init("torture_rpc_netlogon"); BOOL ret = True; - struct test_join *join_ctx; - struct test_join *user_ctx; - char *user_password; + struct test_join *join_ctx = NULL; + struct test_join *user_ctx = NULL, *user_ctx_wrong_wks = NULL, *user_ctx_wrong_time = NULL; + char *user_password, *user_password_wrong_wks, *user_password_wrong_time; const char *old_user_password; char *test_machine_account; const char *binding = torture_setting_string(torture, "binding", NULL); const char *userdomain; + struct samr_SetUserInfo s; + union samr_UserInfo u; int i; int ci; @@ -1514,7 +1519,7 @@ BOOL torture_rpc_samlogon(struct torture_context *torture) ACB_NORMAL, (const char **)&user_password); if (!user_ctx) { - d_printf("Failed to join as Workstation\n"); + d_printf("Failed to create a test user\n"); return False; } @@ -1524,6 +1529,57 @@ BOOL torture_rpc_samlogon(struct torture_context *torture) TEST_USER_NAME, 16 /* > 14 */, &user_password, NULL, 0, False); + user_ctx_wrong_wks = torture_create_testuser(TEST_USER_NAME_WRONG_WKS, + userdomain, + ACB_NORMAL, + (const char **)&user_password_wrong_wks); + if (!user_ctx_wrong_wks) { + d_printf("Failed to create a test user (wrong workstation test)\n"); + return False; + } + + ZERO_STRUCT(u); + s.in.user_handle = torture_join_samr_user_policy(user_ctx_wrong_wks); + s.in.info = &u; + s.in.level = 21; + + u.info21.fields_present = SAMR_FIELD_WORKSTATIONS; + u.info21.workstations.string = "not" TEST_MACHINE_NAME; + + status = dcerpc_samr_SetUserInfo(torture_join_samr_pipe(user_ctx_wrong_wks), mem_ctx, &s); + if (!NT_STATUS_IS_OK(status)) { + printf("SetUserInfo (list of workstations) failed - %s\n", nt_errstr(status)); + ret = False; + goto failed; + } + + user_ctx_wrong_time + = torture_create_testuser(TEST_USER_NAME_WRONG_TIME, + userdomain, + ACB_NORMAL, + (const char **)&user_password_wrong_time); + if (!user_ctx_wrong_time) { + d_printf("Failed to create a test user (wrong workstation test)\n"); + return False; + } + + ZERO_STRUCT(u); + s.in.user_handle = torture_join_samr_user_policy(user_ctx_wrong_time); + s.in.info = &u; + s.in.level = 21; + + u.info21.fields_present = SAMR_FIELD_WORKSTATIONS | SAMR_FIELD_LOGON_HOURS; + u.info21.workstations.string = TEST_MACHINE_NAME; + u.info21.logon_hours.units_per_week = 168; + u.info21.logon_hours.bits = talloc_zero_size(mem_ctx, 168); + + status = dcerpc_samr_SetUserInfo(torture_join_samr_pipe(user_ctx_wrong_time), mem_ctx, &s); + if (!NT_STATUS_IS_OK(status)) { + printf("SetUserInfo (logon times and list of workstations) failed - %s\n", nt_errstr(status)); + ret = False; + goto failed; + } + status = dcerpc_parse_binding(mem_ctx, binding, &b); if (!NT_STATUS_IS_OK(status)) { d_printf("Bad binding string %s\n", binding); @@ -1706,6 +1762,15 @@ BOOL torture_rpc_samlogon(struct torture_context *torture) .expected_interactive_error = NT_STATUS_WRONG_PASSWORD, .expected_network_error = NT_STATUS_OK, .old_password = True + }, + { + .comment = "test user (wong workstation): domain\\user", + .domain = userdomain, + .username = TEST_USER_NAME_WRONG_WKS, + .password = user_password_wrong_wks, + .network_login = True, + .expected_interactive_error = NT_STATUS_INVALID_WORKSTATION, + .expected_network_error = NT_STATUS_INVALID_WORKSTATION } }; @@ -1777,5 +1842,7 @@ failed: torture_leave_domain(join_ctx); torture_leave_domain(user_ctx); + torture_leave_domain(user_ctx_wrong_wks); + torture_leave_domain(user_ctx_wrong_time); return ret; } diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c index 31d782ae24..a349178563 100644 --- a/source4/torture/rpc/testjoin.c +++ b/source4/torture/rpc/testjoin.c @@ -232,6 +232,7 @@ again: printf("Setting account password '%s'\n", random_pw); + ZERO_STRUCT(u); s.in.user_handle = &join->user_handle; s.in.info = &u; s.in.level = 24; -- cgit